Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On 03/01/12 18:57, Russell Coker wrote:
> On Fri, 2 Mar 2012, Jordon Bedwell <envygeeks@gmail.com> wrote:
>>> Run the command below.
>>>
>>> grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>>>
>>> If you don't get 1 as output, your sshd is compromised.
>> It returned 1, this happens on freshly installed Debian and Ubuntu too
>> though, tested it on Ubuntu too.
> http://etbe.coker.com.au/2011/12/31/server-cracked/
>
> If you havd a sshd that is compromised in the same way as one was on one of my
> servers then Anibal's command will give an output of 0.
>
> I don't know what relevance this has to a discussion of OpenSSH logging
> though.
>
> I'd like to have OpenSSH log the email address field from a key that was used
> for login so I could see something like "ssh key russell@coker.com.au was used
> to login to account rjc" in my logs.
>
>From what I know that information(the comment on the key) is not vary
secure, Joe could put Bob as his comment...
However one could so a look-up on the key from a key-server and get the
email address that way. This is assuming that ppl are using there
gpg(email) keys for ssh.
Reply to: